Before contract comes catastrophe

Signing on with an outside managed security services (MSS) provider is a double-edged sword which involves handing over much of the control over your firm's security to the provider you've chosen.

Signing on with an outside managed security services (MSS) provider is a double-edged sword. Even after you've reviewed various product and service offerings, checked the pricing options, and identified the security answer that's right for your company, you have to hand over much of the control over your firm's security to the provider you've chosen.

Whether you're buying into a software product or a real-time service, in this arena what looks good on paper or sounds good coming from sales and technical reps may not be what you bargained for.


Your corporate survival may be at issue if your MSS vendor doesn't meet your standards or work well with your staff. To protect your firm's interests, you must hammer out specific and detailed aspects of the relationship with the MSS provider before you sign a contract.

The problem is that once your firm becomes accustomed to, and dependent on, outsourced services, you'll likely downsize your internal security staff, becoming even more dependent on the vendor. Moving to another MSS provider with different services, staff, operating capabilities, technologies, and communication mechanisms then becomes very difficult.

A solid contract is a step in the right direction, but it doesn't guarantee security. Rather, it is a standard both parties are expected to maintain. Use your contract to nail down the performance standards you require of the vendor, and the expectations the vendor has of your firm. If your vendor doesn't perform to standard, even a successful lawsuit may never remedy the damage to your financial health and corporate reputation. Consider the following contract stipulations when finalizing an agreement.

  • Audit requirement. Audits help you determine how well your vendor is complying with your contract, rules, regulations, or law. A vendor's failure to maintain secure facilities, power resources, and trustworthy staff, for example, can mean unstable protection for your firm.

  • Right to modify. Make sure you have the right to adjust settings to optimize your system, if necessary, for integration with other security, application, and operating system products, or to cope with changing threat environments and corporate growth. If your MSS provider refuses future contractual modifications, it's time to review the organization for long-term viability, funding sufficiency, and future plans.

  • Disaster recovery. Include specifics about the rights, duties, and procedures for both parties in the event of major breaches or intrusions associated with the software or service. This is particularly important in order to avoid chaos and ensure a coordinated response; don't fall into a CD Universe-like calamity, where the company's reactions to a breach ultimately destroyed its recourse to prosecution or litigation.

  • Center access. As a customer, you should have limited rights to inspect the vendor's security operations centers, operating practices, and processing facilities. You should be able to view security, storage, and communication systems. While the audit requirement normally permits independent third-party evaluation, this provision enables your firm's own staff to visit the vendor on occasion to confirm that physical and communication controls are consistent with what was promised. In return, be prepared to offer your MSS provider, and perhaps the product vendor, remote or physical access to your own facilities.

  • Termination conditions. Since online security takes on such a vital role in most modern companies, vendor termination (whether voluntary or involuntary) is a serious matter and should be explicitly detailed in the contract. Avoid setting up drop-dead conditions where services abruptly halt, since this may hinder you from making an adequate transition to a new provider, should the need arise. These wild times in the security industry make for higher customer risk, especially with the long-term viability of the average two-year-old security vendor still in question. If your supplier's longevity is at issue, the vendor should offer liability coverage in case services terminate due to acquisition, merger, or bankruptcy.

  • Corporate data. Specify the ownership of your corporate data and the conditions under which it can be disclosed. Insist that all corporate data be forwarded to you and deleted from vendor records upon termination of the agreement.

  • Other important conditions. Include clauses covering company system requirements, conditions under which software will be accepted, and software ownership rights. For any software, specify warranty terms that attest to the quality, performance, or condition of the delivered software as well as the skills of the developers.

Be sure to include corporate counsel in the contract negotiation process; they can prepare needed clauses and review vendor contract provisions. While a contract won't guarantee satisfactory security performance, it will give you a basis for confidence in the provider you've selected. The process of negotiating the contract and coming to a final agreement will set the tone for your relationship with the vendor.

Dr. Goslar is principal security analyst and founder of E-PHD, LLC, a security industry research and analysis firm. A cyber-investigator and former law enforcement software engineering officer, he can be reached at comments@e-phd.com.